ASA 5520 Dual Active ISPs

Robert Murdock
Level 1

I currently have 1 ISP (Verizon) coming in over bonded T1s.  This ISP has NAT pointing to my critical servers that have clients coming in to connect to them via port 8421 and 3024.  We are looking to bring in another ISP.  I know that my 5520 can do dual active ISPs.  My question is how do I route my WWW and HTTPS traffic out the new ISP (Comcast).  I read on a post that I could do two default routes like below

route (Verizon) 0.0.0.0 0.0.0.0 X.X.X.X

route (Comcast) 0.0.0.0 0.0.0.0 Y.Y.Y.Y 2 (WITH A METRIC OF 2)

Next it says to static route tcp traffic over port 80 like so

static (Comcast, inside) tcp 0.0.0.0 80 0.0.0.0 80

static (Comcast, inside) tcp 0.0.0.0 443 0.0.0.0 443

With these commands following

sysopt noproxyarp inside

nat (inside) 1 0.0.0.0 0.0.0.0

global (Verizon) 1 interface

global (Comcast) 1 interface

-----

This for some reason did not work.  Am I missing anything?

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

 0: Ext: GigabitEthernet0/0  : address is 6400.f123.bfde, irq 9
 1: Ext: GigabitEthernet0/1  : address is 6400.f123.bfdf, irq 9
 2: Ext: GigabitEthernet0/2  : address is 6400.f123.bfe0, irq 9
 3: Ext: GigabitEthernet0/3  : address is 6400.f123.bfe1, irq 9
 4: Ext: Management0/0       : address is 6400.f123.bfdd, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.

2 Replies

jedavis
Level 4

Robert,

Well first, these config statements

static (Comcast, inside) tcp 0.0.0.0 80 0.0.0.0 80

static (Comcast, inside) tcp 0.0.0.0 443 0.0.0.0 443

are not routing statements, they are NAT statements.

But what are you trying to do?  Route the return traffic out the same interface that it arrived on?

-JD

I am trying to force my WWW and 443 traffic out to use my Comcast ISP.  All else will use the Verizon ISP, as I have clients that connect to internal servers over the Verizon T1 circuit.  Currently on my ASA I have a 2811 router that's bringing in my T1s, and the Comcast modem that I would like to use for WWW and 443.  I had previously had it working by connecting the Comcast modem to the 2811 router and setting up a PBR on my 2811 router.  This was working, but it just quit all of a sudden and I cannot figure out what happened.  We've replaced hardware but still get nothing.  My PBR was similar to this.  I'm hoping someone can see something wrong with my PBR, as this setup was working.  I just wanted to try the ASA route because I know the ASA can do dual ISPs.  I just would like to split that traffic (no load sharing).

interface MFR1
 mtu 4470
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay IETF
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay multilink bid to u300785
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 152.179.XX.XX 255.255.255.252
 ip access-group 110 in
 no ip redirects
 no ip proxy-arp
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 500 IETF   
!
interface FastEthernet0/0
 description to ASA5520
 ip address 65.216.XX.XX 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map COMCAST_TRAFFIC
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Interface to COMCASTMODEM
 ip address 23.31.XX.XX 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 443
access-list 120 permit udp any any eq domain
access-list 120 deny   udp any any eq ntp
access-list 120 deny   udp any any eq 8933
access-list 120 deny   udp any any eq 8943
access-list 120 deny   udp any any eq 19560
access-list 120 deny   udp any any eq 65535
access-list 120 deny   tcp any any eq 1025
access-list 120 deny   udp any any eq 1025
access-list 120 deny   tcp any any eq 8933
access-list 120 deny   tcp any any eq 8943
access-list 120 deny   tcp any any eq 19560
access-list 120 deny   tcp any any eq 65535
access-list 120 deny   tcp any any eq 50
access-list 120 deny   tcp any eq 51 any
access-list 120 deny   tcp any any eq 51
access-list 120 deny   tcp any eq 500 any
access-list 120 deny   tcp any eq 4500 any
access-list 120 deny   tcp any eq 50 any
access-list 120 deny   udp any eq 50 any
access-list 120 deny   udp any eq 51 any
access-list 120 deny   tcp any eq 4820 any
access-list 120 deny   tcp any eq 4823 any
access-list 120 deny   tcp any eq 4822 any
access-list 120 deny   tcp any eq smtp any
access-list 120 deny   tcp any eq 5223 any
access-list 120 deny   ahp any any
access-list 120 deny   ip any any
access-list 120 deny   tcp any eq 8421 any
access-list 120 deny   tcp any eq 3024 any
access-list 120 deny   udp any eq 3024 any
access-list 120 deny   udp any eq 8421 any
!
access-list 110 permit ip any any
access-list 110 deny   53 any any
access-list 110 deny   55 any any
access-list 110 deny   77 any any
access-list 110 deny   pim any any
access-list 110 deny   ip host 0.0.0.0 any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any
access-list 110 deny   ip 192.0.2.0 0.0.0.255 any
access-list 110 deny   ip 224.0.0.0 31.255.255.255 any
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip 207.159.122.144 0.0.0.7 any
!
ip route 0.0.0.0 0.0.0.0 152.179.XX.XX
!
route-map COMCAST_TRAFFIC permit 10
 match ip address 120
 set ip next-hop 23.31.XX.XX
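A route-map ACL is evaluated first-match, so the order of the entries in access-list 120 (and in the anti-spoofing list 110 on MFR1.500) decides which packets are policy-routed or filtered. The following is an added example, not code from this thread: it parses a subset of the IOS extended-ACL syntax and flags entries that an earlier entry already fully covers, which is a quick sanity check before blaming the PBR itself. Sample input is constructed from the ACL 120 entries posted above; the `NAMED_PORTS` table and the helper names are assumptions of this example.

```python
# Shadowed-entry check for Cisco IOS extended ACLs (added example, not from the thread).
import ipaddress
NAMED_PORTS = {"www": "80", "domain": "53", "ntp": "123", "smtp": "25"}  # keywords seen in the post

# Constructed sample: six entries of the poster's route-map ACL 120, in posted order.
ACL_120 = [
    "access-list 120 permit tcp any any eq www",
    "access-list 120 permit tcp any any eq 443",
    "access-list 120 permit udp any any eq domain",
    "access-list 120 deny   ip any any",
    "access-list 120 deny   tcp any eq 8421 any",
    "access-list 120 deny   udp any eq 3024 any",
]

def _addr(tok):
    """Pop one address spec (any | host A | A WILDCARD) plus an optional 'eq PORT'."""
    spec = tok.pop(0)
    if spec == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif spec == "host":
        net = ipaddress.ip_network(tok.pop(0) + "/32")
    else:  # invert the IOS wildcard into a netmask so ipaddress accepts any contiguous mask
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok.pop(0))))
        net = ipaddress.ip_network(f"{spec}/{mask}", strict=False)
    port = None
    if tok and tok[0] == "eq":
        port = NAMED_PORTS.get(tok[1], tok[1]); del tok[:2]
    return net, port

def parse_ace(line):
    """Return (action, proto, src, sport, dst, dport), or None for non-ACL lines such as '!'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        return None
    rest = t[4:]
    src, sport = _addr(rest)
    dst, dport = _addr(rest)
    return t[2], t[3], src, sport, dst, dport

def covers(a, b):
    """True if every packet matched by entry b is also matched by the earlier entry a."""
    _, ap, asrc, asp, adst, adp = a
    _, bp, bsrc, bsp, bdst, bdp = b
    return ((ap == "ip" or ap == bp) and bsrc.subnet_of(asrc) and bdst.subnet_of(adst)
            and asp in (None, bsp) and adp in (None, bdp))

def shadowed(lines):
    """1-based positions of entries that can never match because an earlier entry covers them."""
    aces = [a for a in map(parse_ace, lines) if a]
    return [i + 1 for i, ace in enumerate(aces) if any(covers(p, ace) for p in aces[:i])]
```

Running `shadowed(ACL_120)` reports the entries after `deny ip any any` as dead; feeding it the posted list 110, whose first entry is `permit ip any any`, reports every later deny as unreachable.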
